Vulnerable code lies in glibc's internal function __gconv_translit_find, here's vulnerable part (from glibc's bugzilla):
[...] cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name), trans->name, name_len); if (need_so) memcpy (cp, ".so", sizeof (".so")); [...]
cp points after the NUL terminator, so the memcpy call does not actually append ".so", but copies four bytes starting after the terminating NUL character, not changing the string at all - and writing a single NUL byte after the end of the buffer.
pkexec binary is chosen as a target of this PoC. Main idea behind it is to take advantage of so called backward consolidation of a heap but since the size of chunk is fixed and always the same (".so" as 32bit pointer is equal to 0x6f732e00), so also memory leak found in pkexec had to be used to spray the heap.